External Representatives for non-EU based companies according to Art. 27 of the EU General Data Protection Regulation

Representative acc. Art. 27 GDPR

The EU General Data Protection Regulation representative according to Art. 27 GDPR “as a service”

After long years of discussion, the EU has agreed on a new framework for data protection in the European Union – the General Data Protection Regulation (GDPR).

Article 27 of the GDPR introduces the obligation to establish a representative within the EU for companies processing data in the EU but being located abroad.

Who has to designate an EU-representative according to Art. 27 GDPR?

Are you offering goods or services to persons located in the European Union?
Are you monitoring behavior of persons in the EU?

If either one or both questions are answered with yes, then the General Data Protection Regulation (GDPR) requires you to designate a representative – even if you do not have a corporate office located in the EU.

However, processors who

only process data occasionally and

do not include large-scale processing of special categories of personal data or personal data relating to criminal convictions and offences in their processing, and

the processing is unlikely to result in a risk to the rights and freedoms of natural persons

are exempt from the requirement of designating an EU representative.
The obligation to designate a representative does generally not apply to public authorities and bodies.

Article 27: Representatives of controllers or processors not established in the Union

1. Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union. […]

Article 3: Territorial scope
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

Tasks and requirements of the EU representative according Art. 27 GDPR

The designated representative must be established in one of the EU member states the processing is taking place. There are no minimum requirements with regards to the qualification of your representative. However, it is recommendable to choose a representative with appropriate knowledge of the data protection provisions in the EU since the representative will act as your point of contact for requests by the supervisory authorities or data subjects, i.e. any person being affected by your processing of personal data.

The designation of the representative is made without prejudice to legal actions which could be initiated against you meaning that you will still be required to process personal data of EU resident according to the provision of the GDPR.

Experienced Consultants and data protection officers

We at daschug provide data privacy and compliance services. Through our multiple appointments as external data protection officers for a wide range of companies we are experienced in communicating with supervisory authorities.
All our consultants are fluent in English and have in-depth knowledge of the GDPR provisions and experience in implementation of GDPR regulations in companies of various sizes.

Contact us now

If your company requires an EU representative and wants to benefit from our experience, contact as for further information and a quote.

The GDPR will come in effect on May 25, 2018 – make sure to have designated an EU representative until this date. – We would be pleased to represent you.

We also support in GDPR implemenation and have done this in several companies of various sizes.